Effectiveness of the Vulnerability Response Decision Assistance (VRDA) Framework

Abstract

The Vulnerability Response Decision Assistance (VRDA) framework is a decision support and expert system designed to model how organizations individually respond to vulnerability reports. By encoding vulnerability response knowledge in VRDA, organizations can make more consistent decisions and better prioritize their efforts. VRDA is descriptive; it aims to reproduce how an organization actually responds. This paper examines the effectiveness of VRDA in terms of how well it predicts responses. Decision data from three participating organizations was analyzed to determine how well decisions predicted by VRDA compared to decisions made by the organizations' expert analysts. An implementation of VRDA called KENGINE was used to collect vulnerability report data, generate decision models, predict responses, and record actual responses. Variations between predicted and actual responses may be caused by lack of sufficient or necessary vulnerability data, bias of expert analysts, poor decision logic, or some other unforeseen reason. Comparisons between different organizations, data sets, and decision models show that VRDA is accurate enough to give practical assistance with vulnerability response, although accuracy varies among individual decisions.

Document Details

Document Type
Technical Report
Publication Date
Aug 01, 2009
Accession Number
AD1147213

Entities

People

  • Art Manion
  • Kazuya Togashi

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Human Systems

DTIC Thesaurus Topics

  • Accuracy
  • Algorithms
  • Commerce
  • Computers
  • Control Systems
  • Cost Estimates
  • Cybersecurity
  • Data Mining
  • Databases
  • Engineering
  • Information Science
  • Measurement
  • Network Protocols
  • Operating Systems
  • Reliability
  • Software Development
  • Surface Analysis
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Computational Modeling and Simulation
  • Neurological Diseases/Conditions/Disorders
  • Team-Based Human-Centered Cognitive Task Decision Making and Information Performance.